I am setting out to create a thin web UI that consists of only HTML, CSS, and JavaScript (HCJ) for the front end. For the back end, I have Ajax-enabled WCF services.

I have a few options for authentication.

Options:

1. Authenticate with username and password every time a service is called.

2. Authenticate once, then keep the credentials (in the session, a cookie, or a JavaScript variable) and pass them on every subsequent service call.

3. Authenticate once against a single WCF service, then store a token and pass the token on every subsequent call.

Option 1 – Authenticate every time

This is not acceptable to the users: typing credentials over and over again while clicking around a website is a pain. It also means the password crosses the network on every single request, which is the widest exposure of the three options.

Option 2 – Authenticate once and store credentials

This option is not acceptable either, because we really don't want credentials sitting in cookies, headers, or JavaScript variables. Hashing the password and storing only the hash does not really alleviate the concern: if the service accepts the hash as proof of identity, the hash is the credential, and whoever steals it can replay it just as well as the password itself. Either way the username and password (or their equivalent) are passed around on every call, and the more often they travel, the sooner they leak.

Option 3 – Authenticate once and store a token

This option is the most secure of the three. After authenticating, a token is returned to the user, and the other web services are accessed with that token instead of the credentials. The credentials are never stored on the client and cross the network only once, at authentication time. The token is a bearer credential, though: it must be long and random enough that it cannot be guessed, it should expire, and it must only ever be sent over HTTPS.

Secure Token Service

This third idea is the one behind the Secure Token Service (STS). However, an STS is designed around having a third party provide the authentication, for example when you log in to a website using your Facebook account even though it isn't a Facebook website.

Implementing an STS is complex; there are entire projects built around the idea. What if you want something simpler?

Basic Token Service (BTS)

I decided that for simple authentication, there needs to be an example on the web of a Basic Token Service.

In the basic token service there is a single service that provides authentication. That service returns a token if the credentials are valid and a failure otherwise. Once authenticated, the front end is responsible for passing the token to every subsequent web service. This could be a header value, a cookie, or a URL parameter; a URL parameter is the worst of the three, since URLs end up in server logs, browser history, and Referer headers. I am going to use a header value in my project.

Note: the project includes an xdt:Transform for web.config.debug and web.config.release for use with Web Deploy. These transforms enforce that the web services only accept HTTPS, so neither the token nor the credentials at authentication time ever travel in the clear. Check them out.

Models

For this basic example there is a single class in the Model, a Credentials class.

1) The Authenticate on this and the database, the only two I have tried, do not work. I get "The incoming message has an unexpected message format 'Raw'." when submitting using the Postman utility. If I switch to urlencoded, I get into the program, but no matter what I do with the data it does not get passed into the program.

Also, the screen print of Postman was wrong on the Test1Service.Test (first of all, you cannot see the full URL entry) and it didn't work unless I put the parameters into the header.

I would like to use this as a model for my solution, but I cannot get the Authenticate to pass variables. Not sure what is different between your API implementation and mine, but passing in the body pulls my data out, but I am not getting anything in your example. When it works, it is through encoding.

Let me know. Thanks, the sample app is pretty awesome, and when the kinks get worked out, whether it is environment or whatever, it will be the best example on the web. I can say that with assurance since I feel like I have seen them all.

Copyright © Rhyous.com. Linking to content on this site is allowed without permission, and up to ten lines of any article can be used along with such a link. Any other use of the content is allowed only by permission of Rhyous.com.